{ "public_date" : "2026-03-25T00:00:00Z", "bugzilla" : { "description" : "kernel: tracing/dma: Cap dma_map_sg tracepoint arrays to prevent buffer overflow", "id" : "2451171", "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2451171" }, "cwe" : "CWE-131", "details" : [ "In the Linux kernel, the following vulnerability has been resolved:\ntracing/dma: Cap dma_map_sg tracepoint arrays to prevent buffer overflow\nThe dma_map_sg tracepoint can trigger a perf buffer overflow when\ntracing large scatter-gather lists. With devices like virtio-gpu\ncreating large DRM buffers, nents can exceed 1000 entries, resulting\nin:\nphys_addrs: 1000 * 8 bytes = 8,000 bytes\ndma_addrs: 1000 * 8 bytes = 8,000 bytes\nlengths: 1000 * 4 bytes = 4,000 bytes\nTotal: ~20,000 bytes\nThis exceeds PERF_MAX_TRACE_SIZE (8192 bytes), causing:\nWARNING: CPU: 0 PID: 5497 at kernel/trace/trace_event_perf.c:405\nperf buffer not large enough, wanted 24620, have 8192\nCap all three dynamic arrays at 128 entries using min() in the array\nsize calculation. This ensures arrays are only as large as needed\n(up to the cap), avoiding unnecessary memory allocation for small\noperations while preventing overflow for large ones.\nThe tracepoint now records the full nents/ents counts and a truncated\nflag so users can see when data has been capped.\nChanges in v2:\n- Use min(nents, DMA_TRACE_MAX_ENTRIES) for dynamic array sizing\ninstead of fixed DMA_TRACE_MAX_ENTRIES allocation (feedback from\nSteven Rostedt)\n- This allocates only what's needed up to the cap, avoiding waste\nfor small operations\nReviwed-by: Sean Anderson ", "A flaw was found in the Linux kernel. When tracing large scatter-gather lists, which are mechanisms for efficient data transfer, the `dma_map_sg` tracepoint can trigger a performance buffer overflow. This can lead to the tracing buffer becoming too small, potentially causing system warnings and affecting the stability of the tracing functionality." ], "package_state" : [ { "product_name" : "Red Hat Enterprise Linux 10", "fix_state" : "Not affected", "package_name" : "kernel", "cpe" : "cpe:/o:redhat:enterprise_linux:10" }, { "product_name" : "Red Hat Enterprise Linux 6", "fix_state" : "Not affected", "package_name" : "kernel", "cpe" : "cpe:/o:redhat:enterprise_linux:6" }, { "product_name" : "Red Hat Enterprise Linux 7", "fix_state" : "Not affected", "package_name" : "kernel", "cpe" : "cpe:/o:redhat:enterprise_linux:7" }, { "product_name" : "Red Hat Enterprise Linux 7", "fix_state" : "Not affected", "package_name" : "kernel-rt", "cpe" : "cpe:/o:redhat:enterprise_linux:7" }, { "product_name" : "Red Hat Enterprise Linux 8", "fix_state" : "Not affected", "package_name" : "kernel", "cpe" : "cpe:/o:redhat:enterprise_linux:8" }, { "product_name" : "Red Hat Enterprise Linux 8", "fix_state" : "Not affected", "package_name" : "kernel-rt", "cpe" : "cpe:/o:redhat:enterprise_linux:8" }, { "product_name" : "Red Hat Enterprise Linux 9", "fix_state" : "Not affected", "package_name" : "kernel", "cpe" : "cpe:/o:redhat:enterprise_linux:9" }, { "product_name" : "Red Hat Enterprise Linux 9", "fix_state" : "Not affected", "package_name" : "kernel-rt", "cpe" : "cpe:/o:redhat:enterprise_linux:9" } ], "references" : [ "https://www.cve.org/CVERecord?id=CVE-2026-23390\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-23390\nhttps://lore.kernel.org/linux-cve-announce/2026032537-CVE-2026-23390-7146@gregkh/T" ], "name" : "CVE-2026-23390", "csaw" : false }